1491337 - Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsexn.h:130 with OOM

Status: RESOLVED DUPLICATE of bug 1491350

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision efccb758c78c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):

oomTest(new Function(`
  let kJSEmbeddingMaxTypes = 1000000;
  let kJSEmbeddingMaxFunctions = 1000000;
  let kJSEmbeddingMaxImports = 100000;
  const known_failures = {};
  function test(func, description) {
    known_failures[description]
  }
  function testLimit(name, min, limit, gen) {
    test(() => {}, \`Validate \${name} mininum\`);
    test(() => {}, \`Async compile \${name} over limit\`);
  }
  testLimit("types", 1, kJSEmbeddingMaxTypes, (builder, count) => {});
  testLimit("functions", 1, kJSEmbeddingMaxFunctions, (builder, count) => {});
  testLimit("imports", 1, kJSEmbeddingMaxImports, (builder, count) => {});
`));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x568f79d6 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=0xffffb6cc, __in_chrg=<optimized out>) at js/src/jsexn.h:130
#0  0x568f79d6 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=0xffffb6cc, __in_chrg=<optimized out>) at js/src/jsexn.h:130
#1  0x568f4934 in js::jit::GetPropIRGenerator::tryAttachStub (this=0xffffb7e4) at js/src/jit/CacheIR.cpp:199
#2  0x56877f0d in js::jit::DoGetElemFallback (cx=<optimized out>, frame=0xf5cffdc8, stub_=0xf57360d0, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:1743
#3  0x56b949b0 in js::jit::Simulator::softwareInterrupt (this=0xf6e4e000, instr=0xf6e6f1f4) at js/src/jit/arm/Simulator-arm.cpp:2699
#4  0x56b951b6 in js::jit::Simulator::decodeType7 (this=0xf6e4e000, instr=0xf6e6f1f4) at js/src/jit/arm/Simulator-arm.cpp:3868
#5  0x56b92fc2 in js::jit::Simulator::instructionDecode (this=0xf6e4e000, instr=0xf6e6f1f4) at js/src/jit/arm/Simulator-arm.cpp:4848
#6  0x56b96dca in js::jit::Simulator::execute<false> (this=0xf6e4e000) at js/src/jit/arm/Simulator-arm.cpp:4903
#7  js::jit::Simulator::callInternal (this=0xf6e4e000, entry=0x40df6800 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4983
#8  0x56b96fe9 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:5066
#9  0x569a5608 in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x40e04068 "\004\340-\345\a") at js/src/jit/Jit.cpp:105
#10 0x569a622f in js::jit::MaybeEnterJit (cx=0xf6e1b800, state=...) at js/src/jit/Jit.cpp:170
#11 0x567382fa in js::RunScript (cx=0xf6e1b800, state=...) at js/src/vm/Interpreter.cpp:424
#12 0x56738a2c in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:579
#13 0x56738f20 in InternalCall (cx=cx@entry=0xf6e1b800, args=...) at js/src/vm/Interpreter.cpp:606
#14 0x567390da in js::Call (cx=0xf6e1b800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:625
#15 0x56bd5f87 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2914
#16 0x569ec7c6 in RunIterativeFailureTest (cx=<optimized out>, params=..., simulator=...) at js/src/builtin/TestingFunctions.cpp:1875
#17 0x569ed13a in OOMTest (cx=0xf6e1b800, argc=1, vp=0xf563b058) at js/src/builtin/TestingFunctions.cpp:2050
#18 0x5674596a in CallJSNative (cx=0xf6e1b800, native=0x569ed080 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:460
[...]
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10713
eax	0x0	0
ebx	0x573c5ff4	1463574516
ecx	0xf7d90864	-136771484
edx	0x0	0
esi	0x1	1
edi	0xffffb6d4	-18732
ebp	0xffffb688	4294948488
esp	0xffffb680	4294948480
eip	0x568f79d6 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+70>
=> 0x568f79d6 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+70>:	movl   $0x0,0x0
   0x568f79e0 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+80>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/045ded11d3f8
user:        Lars T Hansen
date:        Fri Dec 15 13:10:23 2017 -0600
summary:     Bug 1430161 - Factor ARM disassembler, implement for ARM64.  r=nbp

This iteration took 1.324 seconds to run.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Lars, is bug 1430161 a likely regressor?

Comment 3

[Lars T Hansen [:lth]]

I do not think that bug is the regressor.

What's happening here is that a softwareInterrupt on the emulator calls to GetNativeDataPropertyByValue<true>, which signals an OOM (that happens deep down in its call tree) by returning a false value.  But softwareInterrupt() has no way of propagating that error and just drops it on the floor, so we hit the assert later.

In turn, GetNativeDataPropertyByValue is used as a callout from the emulator only by CacheIRCompiler::emitMegamorphicLoadSlotByValueResult().  So the proper addressee is probably Jan or Tom.

Comment 4

[Ted Campbell [:tcampbell]]

After Bug 1491350 is fixed, we should see if this is related.

Comment 5

[Jan de Mooij [:jandem]]

Forwarding to Iain per comment 4. Let me know if you need any help!

Comment 6

[Iain Ireland [:iain]]

This is the same bug as Bug 1491350, except with getNativePropertyByValue instead of hasNativeProperty. My fix for 1491350 already covers that case, so there shouldn't be anything left to do here.